http://bugs.gentoo.org/280591

Fix from upstream:

http://cvs.openssl.org/chngview?cn=18260

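--- a/crypto/evp/c_alld.c
+++ b/crypto/evp/c_alld.c
@@ -64,9 +64,6 @@
 
 void OpenSSL_add_all_digests(void)
        {
-#ifndef OPENSSL_NO_MD2
-       EVP_add_digest(EVP_md2());
-#endif
 #ifndef OPENSSL_NO_MD4
        EVP_add_digest(EVP_md4());
 #endif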
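--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -986,7 +986,11 @@ static int internal_verify(X509_STORE_CT
        while (n >= 0)
                {
                ctx->error_depth=n;
-               if (!xs->valid)
+
+               /* Skip signature check for self signed certificates. It
+                * doesn't add any security and just wastes time.
+                */
+               if (!xs->valid && xs != xi)
                        {
                        if ((pkey=X509_get_pubkey(xi)) == NULL)
                                {
@@ -996,13 +1000,6 @@ static int internal_verify(X509_STORE_CT
                                if (!ok) goto end;
                                }
                        else if (X509_verify(xs,pkey) <= 0)
-                               /* XXX  For the final trusted self-signed cert,
-                                * this is a waste of time.  That check should
-                                * optional so that e.g. 'openssl x509' can be
-                                * used to detect invalid self-signatures, but
-                                * we don't verify again and again in SSL
-                                * handshakes and the like once the cert has
-                                * been declared trusted. */
                                {
                                ctx->error=X509_V_ERR_CERT_SIGNATURE_FAILURE;
                                ctx->current_cert=xs;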
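Review bot: The comment added above `if (!xs->valid && xs != xi)` states that the self-signature check "doesn't add any security" without recording why, while the removed XXX comment in the second hunk was the only text that documented the trade-off being given up. The rationale worth keeping is that a self-signature only proves the certificate was signed with the key it already carries, so trust in a self-signed certificate has to come from the trust store rather than from verifying that signature; with this change the `X509_verify` branch is simply never reached whenever `xs == xi` (presumably the self-signed top of the chain, though the assignment of `xi` is outside these hunks), so a broken self-signature will no longer be reported as `X509_V_ERR_CERT_SIGNATURE_FAILURE` from this path, which the removed comment notes `'openssl x509'` relied on. I would extend the new comment to say that trust for such a certificate comes from the store, not from this check, and that detecting an invalid self-signature now requires verifying it separately rather than through this loop. The stray blank `+` line before the comment could also be dropped. internal_verify begins before and continues past these hunks.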
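--- a/ssl/ssl_algs.c
+++ b/ssl/ssl_algs.c
@@ -92,9 +92,6 @@ int SSL_library_init(void)
        EVP_add_cipher(EVP_seed_cbc());
 #endif
 
-#ifndef OPENSSL_NO_MD2
-       EVP_add_digest(EVP_md2());
-#endif
 #ifndef OPENSSL_NO_MD5
        EVP_add_digest(EVP_md5());
        EVP_add_digest_alias(SN_md5,"ssl2-md5");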